Versions Compared

Old Version 4

changes.mady.by.user user-f8986

Saved on

compared with

New Version 5

changes.mady.by.user user-f8986

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The deployer role refers to the individual or organization responsible for the fielded systems that use or otherwise depend on products with vulnerabilities.

Deployers include the following:

  • network and cloud infrastructure providers
  • <anything>-as-a-service providers
  • outsourced IT operations
  • in-house IT operations
  • individual users

Deployers typically must take some action in response to a vulnerability in a product they've deployed. Most often this means deploying a patch, but it can also involve the application of security controls, such as reconfiguring defensive systems, adding monitoring or detection rules, or applying mitigations. 

...

  • Become aware of vulnerability, mitigation, and/or fix.
  • Prioritize the mitigation or fix into existing workload (triage).
  • Test the mitigation or fix.
  • Confirm that the fix addresses the problem.
  • Avoid undesirable side effects.
  • Identify affected systems and plan the deployment:
  • staged or all-at-once
  • automated or manual
  • scheduled update window or out-of-band
  • Deploy the mitigation or fix to affected systems.

We cover each of these in more detail below.

...

Deployers should be on the lookout for and pay attention to:

  • vendor Vendor security notices
  • vendor Vendor customer support notices (not all vendors provide separate security notices, nor are all vulnerabilities always explicitly called out in update notes)
  • vulnerability Vulnerability and threat intelligence services
  • security Security discussions online including social media
  • mass Mass media coverage of vulnerabilities

...

  • The system's availability and performance are critical.
  • Reverting a patch deployment gone bad is difficult.

In environments with efficient automated deployment and rollback capabilities, it may not be as necessary to test as heavily. But that's often an ideal scenario that few deployers find themselves in. Staged deployments or rollouts can be a significant help here—where some portion of the affected systems are updated to confirm the fix prior to wider rollout—allowing deployers to balance patch deployment with the risk of negative side effects.

...